Skip to main content

Detecting Distributed Network Traffic Anomaly with Network-Wide Correlation Analysis


Distributed network traffic anomaly refers to a traffic abnormal behavior involving many links of a network and caused by the same source (e.g., DDoS attack, worm propagation). The anomaly transiting in a single link might be unnoticeable and hard to detect, while the anomalous aggregation from many links can be prevailing, and does more harm to the networks. Aiming at the similar features of distributed traffic anomaly on many links, this paper proposes a network-wide detection method by performing anomalous correlation analysis of traffic signals' instantaneous parameters. In our method, traffic signals' instantaneous parameters are firstly computed, and their network-wide anomalous space is then extracted via traffic prediction. Finally, an anomaly is detected by a global correlation coefficient of anomalous space. Our evaluation using Abilene traffic traces demonstrates the excellent performance of this approach for distributed traffic anomaly detection.

Publisher note

To access the full article, please see PDF.

Author information



Corresponding author

Correspondence to Li Zonglin.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Reprints and Permissions

About this article

Cite this article

Zonglin, L., Guangmin, H., Xingmiao, Y. et al. Detecting Distributed Network Traffic Anomaly with Network-Wide Correlation Analysis. EURASIP J. Adv. Signal Process. 2009, 752818 (2008).

Download citation


  • Excellent Performance
  • Anomaly Detection
  • Abnormal Behavior
  • Full Article
  • Traffic Signal